# users, kosmos.org
dn: cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

# kosmos.org, users, kosmos.org
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: Kosmos
ou: kosmos.org
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)

# 5apps.com, users, kosmos.org
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

# admin role
dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: admin_role
nsRoleFilter: (&(objectclass=person)(admin=true))
description: filtered role for admins